
Soap Box Archives

February 20, 2007

On Death of Defense in Depth and Life To Digital Maoism

In Digital Maoism: The Hazards of the New Online Collectivism, Jaron Lanier argues that the new, faceless Internet community has already brought about the death of individuality and creativity. Back in August, I pondered what would happen if his ideas were applied to information security. And now we have TK proclaiming the death of Defense in Depth and life to Defense in Diversity. Are we to believe that following the hive mind of best practices is doom and not boom?

The goals of our work speak loudly:

  • Share information
  • Establish best practices
  • Deliver on that gold standard
  • Reduce overhead
  • Create a seemingly secure-looking hive

The outcome: reduced risk.

Many of us recently spent a week at RSA. Anyone who spent more than 10 minutes on the exposition floor walked away inundated with compliance acronyms – PCI, SOX, HIPAA, FISMA, GLBA. In fact, there is an entire conference track called "standards". Outside of security specifically, we live by standards – RFCs, task forces, consortia, steering groups, you name it. The goal is simple: deliver on a mostly unified practice, theory or protocol such that we can all intercommunicate. This is the basis of shared knowledge. Perhaps you might take it a step further and say that standards are at the core of the Internet.

We live by standards; we aim to deliver the McDonald's of security – build the best burger once in the lab and mass-produce it everywhere. Are we to believe that great thinkers of our day like TK and Jaron Lanier are telling us to quit conforming? To what degree should we be applying their warnings and suggestions?

Obviously neither TK nor Lanier has specifically said to go about modifying how each of our systems implements TCP. In fact, modifying your TCP code would probably make your implementation "TC", since the word Protocol implies the following of a standard. More generally, however, it's fair to say that both believe that a monoculture, a single dominant species, will eventually bring about the fall of what we admire.

Though TK provides a valid argument and interesting discussion topics, he unfortunately fails to provide us with task-oriented examples. Simply saying to "decouple the server from the service", or his analogy of load balancers and server farms, provides little direction for security operations. As for Lanier, wouldn't the hive of one community become an organism unto itself? The new, larger organism would represent diversity relative to other community organisms. The same is true for security. Obviously each company will produce its own cheeseburger from the security standard. In fact, it's fair to say that each business unit of each organization delivers its own menu. It's not that we aren't working towards diversity; it's just that the set becomes larger.

Let us return to the threat model. Microsoft products have inherited a larger threat model because of two factors: the set of installed systems is large, and the potential payoff is promising. As the set grows, so does the number of threat vectors. It's a self-reinforcing equation...an organism unto itself. I put forward that we are at the cusp of the same model for compliance initiatives. As each entity (the organization, network, system or service) becomes more compliant, the diversity of the set dwindles, producing a larger and more attractive target set. More people will work towards delivering threats against that set. A single successful attack vector spells doom for many members of it. In this regard, the more we follow the same set of compliance initiatives, the larger the threat.

As TK noted, it's important to understand that "just because it cannot be implemented in your current system does not make the principle wrong." Too often we are forced into a situation where we must take the principle and find a way to implement it. However, it's those who make the leap from thought to action whose names we remember in history.

February 23, 2007

Please crack into my online 401k account

No, please don’t try. I’m not extending an open invitation to anyone, but my 401k company is putting us at risk. We recently changed 401k vendors and yesterday in the mail I received my welcome letter and access PIN.
[Image: clip_and_save.jpg – the "clip and save" section at the bottom of the 401k welcome letter]
What you see here is at the bottom of the letter, an invitation to write down my social security number along with my PIN, then clip it out and save it. Anyone at work reading this? Well good, here is my advice:

  • DON'T write down your SSN
  • DO shred the letter, and
  • DO change your PIN
The content of the welcome letter is fine and good, but I take serious issue with two items.

Note: even though the image above says "nCircle Network Security", we didn't send out the letters. They were sent by the 401k company. So don't think for a moment this is some common practice at nCircle. What's more, I bet every person at the many organizations using this large, nationwide company has been put at risk.


About Soap Box

This page contains an archive of all entries posted to Sync in the Soap Box category. They are listed from oldest to newest.

